Windows 10 security question: How do miscreants use these for post-hack persistence?

Anonymous Coward

Windows 10 just gets worse with every iteration

LDS
Silver badge

When your reference model is the dumbest user you can find, there are no other possible outcomes. I wonder who at Microsoft is such reference user...

Charles 9
Silver badge

You make it sound like it should require a license to use a computer: something normally used inside one's own home.

GnuTzu
Bronze badge
Facepalm

It's 2018, And...

"...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."

"Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.

And, it can be done by way of the registry. I... just... don't... know... what else to say.

Tom 35
Silver badge

Re: It's 2018, And...

""Hard-coded" is bad enough, but I've seen too many really lame security questions"

You don't have to give the real answer. Even the bank has a fake "mother's maiden name" so if anyone digs up the info it's not going to do them any good.

Your pet Could be Bl3gLnert7b

DJV
Silver badge

"I wonder who at Microsoft is such reference user"

I thought Steve Ballmer had left ages ago...

Down not across

You make it sound like it should require a license to use a computer: something normally used inside one's own home.

Did you read the article?

From the article:

As for protecting against this post-attack persistence problem? “Add additional auditing and GPO settings,” said Sela. The two also suggested that Microsoft allows custom security questions as well as the ability to disable the feature altogether in Windows 10 Enterprise. The presentation slides are available here (PDF). ®

...makes it quite clear it is not really about home use, but about using Win 10 in a corporate environment.

The hardcoding issue applies at home as well of course, but as many have said (and I presume most of us do already) there is no need to give real answers to the questions.
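The article excerpt quoted above recommends "additional auditing and GPO settings" without spelling them out. The following PowerShell is an added example, written for this page, not code from the article, the commenters, or the presenters. It assumes two things that should be confirmed against the target OS build: that the "Prevent the use of security questions for local accounts" policy is backed by the DWORD `NoLocalPasswordResetQuestions` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\System`, and that the `auditpol` subcategory names used below match those on the host. It reports the current state, optionally enforces the policy and audit settings, and lists recent password-reset events so a reset through the questions (or any other path) leaves a trail.

```powershell
# Added example: audit and (optionally) enforce settings around Windows 10
# security questions. Run from an elevated prompt.
# ASSUMPTIONS (verify on your build): policy key/value name below; auditpol subcategory names.
param([switch]$Enforce)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'NoLocalPasswordResetQuestions'   # assumed backing value of the GPO

function Get-SecurityQuestionPolicy {
    # Returns 'Disabled' when the policy blocks security questions, else 'NotConfigured'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$PolicyName -eq 1) { return 'Disabled' }
    return 'NotConfigured'
}

function Set-SecurityQuestionPolicy {
    # Writes the policy value directly; in a domain, set the same policy via GPO instead.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Enable-AccountAuditing {
    # Record SAM object access and account-management changes in the Security log,
    # so password resets and hash access generate events rather than going unseen.
    auditpol.exe /set /subcategory:"SAM" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Other Account Management Events" /success:enable /failure:enable | Out-Null
}

function Get-RecentPasswordResets {
    param([int]$Hours = 24)
    # 4724 = an attempt was made to reset an account's password (includes resets via security questions).
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Target';  e = { $_.Properties[0].Value } },
            @{ n = 'Subject'; e = { $_.Properties[4].Value } }
}

Write-Host "Security-question policy: $(Get-SecurityQuestionPolicy)"
if ($Enforce) {
    Set-SecurityQuestionPolicy
    Enable-AccountAuditing
    Write-Host "Policy enforced; auditing enabled. Now: $(Get-SecurityQuestionPolicy)"
}
Write-Host "Password resets in the last 24h:"
Get-RecentPasswordResets | Format-Table -AutoSize
```

The property indices used for the 4724 event (target account name at index 0, subject account name at index 4) follow the standard layout of that event; if a host's event template differs, inspect `$_.Properties` once and adjust. Running without `-Enforce` is read-only, which makes the script safe to use as a periodic compliance check.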

Michael Wojcik
Silver badge

Re: It's 2018, And...

You don't have to give the real answer

Then your "I forgot my password" responses become another set of passwords, and you've defeated the mechanism that protects you from that failure mode.

And that may be fine. Maybe you never experience that failure mode; maybe you have your own protection mechanism (e.g. you write those false answers down somewhere). But it does demonstrate just how feeble the entire password-reset process is. Either it turns one failure mode (forgotten password) into a worse one (password subversion by an attacker); or it turns that former failure mode into another version of itself.

2+2=5
Silver badge
Happy

Useful...

“In order to prevent people from reusing their passwords, Windows stores hashes of the old passwords. They’re stored under AES in the registry. If you have access to the registry, it’s not that hard to read them. You can use an undocumented API and reinstate the hash that was active just before you changed it.

Sounds useful - when my employer insists I change my password I can then immediately revert it back and carry on using the old one indefinitely!

Anonymous Coward

Trade secret ...

... you NEVER actually give the true answer anyway ...

Sir Runcible Spoon
Silver badge
Facepalm

Re: Trade secret ...

I think you may have missed the point :)

Unless that was intended as sarcasm - hard to tell.

RobinCM

NLA

Pretty sure that's on by default, and the machine will reject connections if the client doesn't support it or doesn't want to use it.
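The comment above asserts that NLA is on by default and that the machine rejects clients that will not use it. The following PowerShell is an added example, not the commenter's or the article's, that checks the two settings which decide that on a given host (whether RDP is enabled at all, and whether NLA is required) and can enforce NLA through the same WMI/CIM method the System Properties checkbox uses. It assumes the `RDP-Tcp` listener name and the standard registry locations for these values.

```powershell
# Added example: verify (and optionally require) Network Level Authentication for RDP.
# Assumes the listener is named RDP-Tcp and the standard Terminal Server registry paths.
param([switch]$Enforce)

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-NlaStatus {
    # fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1 means NLA is required.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)
        # Exposure only exists when RDP is on and NLA is not required.
        Exposed     = ($deny -eq 0 -and $nla -ne 1)
    }
}

function Set-NlaRequired {
    # Same operation as the "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" checkbox; needs an elevated prompt.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$status = Get-NlaStatus
$status | Format-List
if ($Enforce -and $status.Exposed) {
    Set-NlaRequired
    Write-Host "NLA now required:" (Get-NlaStatus).NlaRequired
}
```

Note that a client that does not support CredSSP/NLA is refused before any logon screen is shown, so after enforcing this, legacy clients lose access rather than falling back; check the `Exposed` field across a fleet before flipping the switch everywhere.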

N2
Silver badge
Joke

The most secure version of Windows...

Coat.

FlamingDeath
Bronze badge

I just wish software houses stopped pushing out shit untested code

There needs to be a law and heavy fines, perhaps a fee to be paid for every patch issued.

Maybe, just maybe, they will invest in proper testing and QA. I suggest this cost comes straight from the shareholders' dividend pot.

Am I the only one who sees this for the very serious problem it is? I mean, FFS, we're likely to have automated cars soon; this clusterfuck in software development practice cannot continue in its current form.

Where is the accountability?

zekepliskin

Tempting fate

Don't tell Microsoft to change anything! Based on the October 2018 update fiasco if they amended user login settings it would end up deleting the user entirely in the next update, or make it so the login button failed to work. Chaps, they released an update that can make previously working systems blue screen on next boot. Tempting fate is a bad idea...
